On Tue, 2003-12-02 at 13:47, Phil Driscoll wrote:
They don't care. What will hack into the school network is a bit of software already running on somebody else's compromised machine. It won't know it's hacking a school, it will just run through a big pile of vulnerabilities until it gets in. Once it's in, it will start attacking from your machines.
Let's just go back to first principles for a minute. The DfES E-learning
consultation on strategy implies they want schools to become information
hubs for their communities. So what is the strategy? Read the
consultation document, there is no strategy proposed - there is a desire
for this but no real idea about what it involves or the details of how
it might be achieved either in terms of cost or technical issues. So we
go blindly into LEA consortia because we are told economies of scale
will make it less expensive. (Who told them that? Probably BT, RM et al
who then make a nice little earner) In many cases we can provide a set
of fully managed and secure servers including server support, unlimited
telephone support and as much practical bandwidth as the school wants
and upgrade the servers every 3 years cheaper than the LEA connection.
When I find that a LEA tells a school that it can't have Linux servers
because they don't support it and I say you don't need to, we will and
then they say you can't have remote access except using a Windows only
solution I get just a tad annoyed. Then after a meeting they refer me to
the same clueless minion who I know doesn't understand diddle. Why do we
make the automatic assumption that the LEA knows best and the school
can't make its own security arrangements? Don't assume external security
is all that is needed. Any kid that can hack the local security in their
school from inside can set up a tunnel and let anyone in. If a school
lets us in and sanctions it there is no firewall we can't get through.
No system is ever going to be 100% secure; it's a compromise between
convenience to the user and risk.
One of the strengths of the Internet is that it's devolved. If I leave my
machine open it's *my* responsibility if it gets hacked and it won't
affect anyone else but me. As soon as I am lumped into an arbitrary
group I get absolved of responsibility but the downside is I also lose
control over my own machine. Dependency culture. Ok, for primary schools
there might have to be some sort of grouping to get sufficient economy
of scale but there is a balance to be had between the restrictions of
everyone having to do the same thing across several LEAs with a
megalithic bureaucratic structure that is completely unresponsive to
individuals and a few schools sharing resources. Large secondary schools
have the budgets to be largely self-sufficient in these things. What
happened to local management of schools?
Yes, I have a vested interest because I run a small company and it's
unlikely that we will get a LEA contract to manage an entire broadband
consortium, and our business is dealing with enlightened and innovative
schools at grass roots, but consider that we have probably put more KDE
desktops in schools than all BECTA approved suppliers put together. If
you make the system so centralised that it squeezes out small businesses
you can say goodbye to innovation like getting Linux at the desktop into
schools. BECTA is now doing a TCO survey including the schools we have
supported - fortunately we now have some significant case studies and
this is another step on the road to acceptance. I can understand why few
companies have done what we have. It's extremely hard work, there is a
lot of potential risk to the company and it seems everyone simply wants
to put obstacles in the way. But in the end it's worth making the effort
because it's the right thing to do. It's a matter of patience, eating the
elephant a bite at a time and not giving up because the task seems
impossible. Stranger things have happened throughout history than us
managing a group of Linux servers through an LEA firewall ;-)
--
ian